Laptops for acquisition from external location - checklist

SilesianMan
(@silesianman)
Posts: 15
Active Member
Topic starter
 

Hello all,

I am working in the company that has several offices around Europe, however, the digital forensic tasks are being done by one team, based in one of those locations.

It was agreed that acquisition and analysis will be done at the location where the DF team is based. Therefore, I need to create a short document/checklist on how laptops should be sent to that team.

I created a short list of what should be involved/settled prior to sending:

*laptop should be turned off, maybe with the battery detached if possible
*laptop should be sent together with its power supply
*agreement from legal/manager
*serial numbers should be written down
*everything should be packed into a secure courier bag; the bag's number should be recorded if possible
*package must be sent with a tracking option
*all numbers need to be sent to the DF team for further verification

Decryption keys are done on the DF side.

Do you think of anything else that might be needed in such scenario?

Thank you in advance for any help. Have a great New Year's Eve and a great upcoming 2019 )

 
Posted : 31/12/2018 8:46 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Just a thought, but in today's day and age of smartphones, digital photographs of serial numbers are quicker and more accurate than writing them down. Also, you get to see the condition and any additional markings.

 
Posted : 31/12/2018 11:28 am
SilesianMan
(@silesianman)
Posts: 15
Active Member
Topic starter
 

Just a thought, but in today's day and age of smartphones, digital photographs of serial numbers are quicker and more accurate than writing them down. Also, you get to see the condition and any additional markings.

Good point, thank you.

 
Posted : 31/12/2018 12:35 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hello all,

I am working in the company that has several offices around Europe

How do you dump the memory and preserve it for further analysis? Make a memdump whenever possible and do a complete live analysis before you shut down the device. And check beforehand that you really have the decryption key for BitLocker or any other full-disk encryption.

regards,
Robin

 
Posted : 31/12/2018 2:27 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would add *somewhere* a written document with the procedure to follow when (IF) - tracking or not - the parcel containing the (not yet imaged/analyzed) laptop is either lost or stolen in transit or handed to the wrong addressee by the courier.

Personally (not being in any way a professional in the field, mind you) I wouldn't even think of sending such an irreplaceable item via a "normal" courier; I would want to choose a very reliable firm for the sending, and that firm will surely have

*everything should be packed into a secure courier bag; the bag's number should be recorded if possible
*package must be sent with a tracking option

both a tracking method and numbered bags, etc.

Following Bunnysniper's advice, I would anyway have *something* made "on site".

I believe there are two options:
1) a properly trained professional is present on site anyway and prepares the machine for sending
or
2) a generically trained representative (or the client himself) manages the packing and sending

If the idea is #2 I would think about making a video of the seizing and packing.

In any case, I would want the actual device wrapped inside a "tamper-proof" ziplock bag or similar, since there is also the possibility (remote, I know) that the parcel is intercepted and its contents modified.

jaclaz

 
Posted : 03/01/2019 10:45 am
SilesianMan
(@silesianman)
Posts: 15
Active Member
Topic starter
 

@jaclaz and @Bunnysniper - thank you both for your answers.

What I am aiming for in the future is to have a trained professional geared up with a write blocker, spare HDDs/SSDs, evidence bags, etc. to make a copy on site, if possible. That's the future; for now, what we can do is make sure that everything that will be sent to the DF team is sent in a secure manner.

Thank you and wish you all the best for 2019! )

 
Posted : 04/01/2019 9:18 am
(@urq82)
Posts: 10
Active Member
 

Hi,

Have you at all considered performing remote triage and acquisition before considering sending computers to the central team? I assume that the corporate computers are connected to a corporate network and powered on in many use-cases.

I have worked with several clients who have implemented a process similar to what I interpret your requirements to be, i.e. the use of e.g. F-Response together with EnCase (or other tools), performing either covert or overt triage / acquisition / review in a timely manner.

Lawful conditions:
*Overt - with consent
*Overt - by authority
*Covert - by authority

Also, memory acquisition as mentioned previously can be included in the process. Acquisition goes to a local storage server or, if bandwidth allows, directly to the central site. Often other storage (such as the user's home drive) needs to be considered in the process as well.

Having computers/drives sent by courier between network-connected sites is in my view not often required, and due to time constraints from a corporate investigation perspective, many times undesired. If an initial triage review determines that the computer should be secured for a future legal process, this can many times be done locally at the site involved.

I tried to attach a process picture of a "digital investigation readiness plan" but could not find a way to include a .jpg! Is there a solution to this in the forum?

 
Posted : 02/02/2019 2:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I tried to attach a process picture of a "digital investigation readiness plan" but could not find a way to include a .jpg! Is there a solution to this in the forum?

Naah, we don't have that kind of feature on the forum.

Attachments?
Luxury!
Why in my day …

http://reboot.pro/topic/1908-why-in-my-day/

You need to upload it *somewhere* and post a link to it.

jaclaz

 
Posted : 02/02/2019 3:52 pm
(@urq82)
Posts: 10
Active Member
 

OK jaclaz!

http://tinypic.com/r/2e67eh4/9

See if this works out for a while.

 
Posted : 02/02/2019 10:33 pm